Infrastructure systems for which continuity is so important that loss, significant interruption or degradation of service would have grave social consequences.
Source: National Infrastructure Security Coordination Centre, UK
Nate Kube
nkube@wurldtech.com
Power generation and distribution
Oil and gas refining and distribution
Water and waste systems
Chemical processing and transport
Manufacturing
Telecommunications
Banking
Most critical infrastructures are controlled by a web of dedicated computers, typically known as Supervisory Control And Data Acquisition (SCADA) systems.
Also Known As
Process Control Systems
Distributed Control Systems (DCS)
Programmable Logic Controllers (PLC)
Intelligent Electronic Devices (IED)
For many years SCADA systems were proprietary, isolated systems.
Typical industry view:
"Most public utilities rely on a highly customized SCADA system. No two are the same, so hacking them requires specific knowledge."
Debunking the Threat to Water Utilities, CIO Magazine, March 15, 2002
Today industry is experiencing massive changes as new network technologies are used:
Windows-based operator stations
Web technologies in control equipment
Ethernet and TCP/IP networks
Wireless networking
ISID (the Industrial Security Incident Database) tracks network cyber incidents that directly impact industrial and SCADA operations. Both malicious and accidental incidents are tracked.
Figure: ISID incidents per year, 1993 to Sept. 2005 (bar chart; legend categories include Likely, Unlikely, Unconfirmed, Hoax/Urban Legend and Unknown). Incident-source chart labels that survive: Accidental 58%, Accidental 32%, Internal 15%.
Worlds in Collision
No Problem?
"None of this would be a problem if those plant floor people just used proper security policies. What's wrong with them?"
IT Manager, after a security incident
Problems occur because assumptions that are valid in the IT world may not hold on the plant floor.
A ping sweep was being performed on a network that controlled 9-foot robotic arms. One arm became active and swung 180 degrees. The controller for the arm had been in standby mode before the ping sweep was initiated. Luckily, the person in the room was outside the reach of the arm.
An ISS scan was performed on a food manufacturer's network. Some packets made it onto the PLC network and caused all PLCs controlling the cookie manufacturing to hang, destroying $1M worth of product.
A gas utility hired a security company to conduct penetration testing on its corporate IT network. The consultant ventured into the SCADA network, and the penetration tool locked up the SCADA system. The gas utility was not able to send gas through its pipelines for four hours.
Standard IT protocols: Ethernet, IP, TCP, UDP, HTTP, SNMP, etc.
Industrial protocols: MODBUS, ProfiNet, EtherNet/IP, etc.
What does the device really do? Is the device stable under typical DoS attacks? Is the device secure against buffer overflows and similar flaws?
A Multi-pronged Approach
Profiling Tools: fingerprinting control devices and determining possibly vulnerable services.
Known Flaw Testing: checking for well-known flaws.
Resource Starvation Testing: checking what happens if the device is bombarded with traffic or requests.
Specification Testing: detecting boundary values and flaws based on the protocol specifications.
Fuzz Testing: directed, pseudo-randomly created data sets to detect unexpected behaviour.
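As an added illustration of the specification-testing step above (this is not the Achilles tool or any Wurldtech code), the following Python parses a Modbus/TCP frame the way a robust device should, enforcing the header bounds the public Modbus/TCP specification defines, and then exercises that parser with constructed frames sitting at and just beyond those bounds. The frame layout (MBAP header: transaction id, protocol id, length, unit id, followed by the PDU) is taken from that specification; every sample frame is constructed here.

```python
import struct

MAX_ADU = 260   # largest Modbus/TCP application data unit
MAX_PDU = 253   # function code plus data
HEADER = 7      # MBAP header size in bytes


class FrameError(ValueError):
    """Raised for any frame that violates the specification's bounds."""


def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU, refusing inputs outside the specified bounds."""
    if len(frame) > MAX_ADU:
        raise FrameError("ADU exceeds 260 bytes")
    if len(frame) < HEADER + 1:
        raise FrameError("short frame: MBAP header plus function code needs 8 bytes")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:HEADER])
    if pid != 0:
        raise FrameError(f"protocol id {pid} is not Modbus (0)")
    # Length counts the unit id plus the PDU, so it must lie in 2..254
    # and agree with the bytes actually present (the classic boundary bug).
    if length < 2 or length > MAX_PDU + 1:
        raise FrameError(f"length {length} outside 2..254")
    if length != len(frame) - (HEADER - 1):
        raise FrameError(f"length {length} disagrees with frame size")
    return {"tid": tid, "unit": unit, "function": frame[HEADER], "data": frame[HEADER + 1:]}


def boundary_cases() -> dict:
    """Constructed frames: one valid request and several boundary violations."""
    read_one = bytes([3, 0, 0, 0, 1])            # FC3, start 0, 1 register
    hdr = lambda pid, length: struct.pack(">HHHB", 1, pid, length, 1)
    return {
        "valid_read":        (hdr(0, 6) + read_one, True),
        "length_too_small":  (hdr(0, 1) + b"\x03", False),
        "length_overstated": (hdr(0, 0xFFFF) + b"\x03", False),
        "length_understated": (hdr(0, 2) + read_one, False),
        "wrong_protocol":    (hdr(1, 6) + read_one, False),
        "oversized_adu":     (hdr(0, 255) + b"\x10" + b"\x00" * 253, False),
    }


def run_boundary_tests() -> dict:
    """Map each case name to True when the parser's verdict matches expectation."""
    results = {}
    for name, (frame, should_accept) in boundary_cases().items():
        try:
            parse_mbap(frame)
            accepted = True
        except FrameError:
            accepted = False
        results[name] = accepted == should_accept
    return results
```

A device whose protocol stack fails any of the rejection cases is exactly what the specification-testing step is meant to surface before the device reaches the plant floor.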
Achilles Demo
Testing against three major brands of PLC, two ESD systems and two DCS has uncovered:
9 critical vulnerabilities
42 warning notices
7 informational notices
Create and promote control system security best practices and standards.
Develop recommendations for securing vulnerable control systems.
Get security QA standards developed.